Mac OS X malware on the loose?

by Ian Betteridge on October 31, 2007

Intego has a report of what looks like a classic piece of malware appearing on the Mac. What it calls the OSX.RSPlug.A Trojan Horse is a trojan that purports to be a codec required to view adult videos but in fact installs something much nastier:

“This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.”
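Because the change is made to the system's DNS configuration rather than to a browser setting, the quickest check for a Mac you suspect is to compare the resolvers the system actually reports with the ones you expect. The script below is an added example, not Intego's or the trojan's code: it parses the output of `scutil --dns` (the same tool the trojan abuses, used here read-only), flags any nameserver not on an allowlist, and runs against a constructed sample when `scutil` is unavailable. The allowlist addresses and both sample outputs are assumptions made up for the example; the 203.0.113.x addresses are documentation-range placeholders, not the trojan's real servers.

```shell
#!/bin/sh
# Added example: audit the resolvers macOS reports via `scutil --dns`
# against an allowlist. Allowlist and sample outputs are constructed for
# this example and are not taken from the trojan or from Intego's report.

# Resolvers you expect (assumption: a home router plus one public resolver).
ALLOWED_DNS="192.168.1.1 8.8.8.8"

# Constructed sample of `scutil --dns` output on a clean machine.
SAMPLE_CLEAN='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 8.8.8.8
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)'

# Constructed sample after a DNS-changer has injected its own resolvers
# (203.0.113.x is a documentation range used here as a placeholder).
SAMPLE_HIJACKED='DNS configuration

resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 203.0.113.54
  if_index : 5 (en0)
  flags    : Request A records

resolver #2
  nameserver[0] : 192.168.1.1'

# Read `scutil --dns` output on stdin; print each nameserver IP once.
extract_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | sort -u
}

# Read `scutil --dns` output on stdin; print every resolver that is not in
# ALLOWED_DNS. Returns 0 if all resolvers are allowed, 1 otherwise.
find_unexpected_dns() {
    bad=0
    for ns in $(extract_nameservers); do
        case " $ALLOWED_DNS " in
            *" $ns "*) ;;                      # allowed resolver
            *) echo "unexpected resolver: $ns"; bad=1 ;;
        esac
    done
    return $bad
}

# Audit the running machine. Returns 2 when scutil is not present (not macOS).
audit_live_dns() {
    if command -v scutil >/dev/null 2>&1; then
        scutil --dns | find_unexpected_dns
    else
        echo "scutil not found; this is not a macOS host" >&2
        return 2
    fi
}

# When run as a script: audit the live host if possible, otherwise show the
# check working on the constructed hijacked sample.
if command -v scutil >/dev/null 2>&1; then
    audit_live_dns || echo "DNS configuration does not match the allowlist"
else
    echo "scutil not available; checking constructed sample instead:"
    printf '%s\n' "$SAMPLE_HIJACKED" | find_unexpected_dns \
        || echo "DNS configuration does not match the allowlist"
fi
```

Edit `ALLOWED_DNS` for your own network before relying on the result, and check what `scutil --dns` reports rather than only what the Network preference pane shows, since the two need not agree. If you do find and remove a rogue resolver, re-run the check afterwards: a change that is re-applied by something still installed on the machine will simply come back.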

This is a classic trojan, very typical of the malware seen on Windows. As I’ve said on several occasions, the impression most Mac users have of malware – that it relies on flaws in the operating system to infect a machine – is false. The vast majority of modern Windows malware works by fooling the user into authorising an install, usually by getting them to run an application downloaded from a web site or received through email. The same applies here: changing the system-wide DNS configuration with scutil needs administrator privileges, and the user hands those over by authorising the fake “codec” installer, so no exploit is required.

There’s no indication from Intego of how far this has spread, but from the description it certainly sounds like it’s in the wild, and if you’re in the habit of visiting the more dubious parts of the internet – or, for that matter, downloading pirated copies of brand new operating systems – it would be wise to be very careful about anything that asks you to install software.

I’m sure there will be much more about this over the next couple of days.

UPDATE: Rob Griffiths at Macworld has written up instructions on how to manually remove the malware if you have it.